cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1118
Views
0
Helpful
3
Replies
pratheesh.venu
Beginner

Restricting access to a URL based on the client certificate

Hi,

I am using a Cisco ACE want to explore options available for controlling access to web url.

Is it possible  to restrict access to a URL based up on the client certificate.

I wan to keep the URL open to the internet and accessible only for a limited set of users. I will be generating self certificate and will distribute the client certificate to those specific set of users. This way I can control access to the URL without having to change the firewall rules etc

Please share your thought and let me know if any of you have implemented similar solution

Regards

Pratheesh

1 ACCEPTED SOLUTION

Accepted Solutions
Kanwaljeet Singh
Cisco Employee

Hi Pratheesh,

If you are going to use client authentication in SSL and if client authentication fails since not all users will have client cert provided by you, SSL handshake will not complete and hence no access. But this is a performance impacting option. Restricting access on FW would be a good option.

During the flow of a normal SSL handshake, the server sends its certificate to the client. The client verifies the identity of the server through the certificate. However, the client does not send any identification of its own to the server. When you enable the client authentication feature on the ACE, the ACE requires that the client sends a certificate to the server. The server then verifies the following information on the certificate:

The CA has not revoked the certificate.The certificate signature is valid. The valid period of the certificate is still in effect. A recognized CA issued the certificate.

You can specify the certificate authentication group that the ACE uses during the SSL handshake and enable client authentication on this SSL proxy service by using the 

authgroup command in SSL proxy configuration mode. The ACE includes the certificates configured in the group with the certificate that you specified for the SSL proxy service

Regards,

Kanwal

View solution in original post

3 REPLIES 3
Kanwaljeet Singh
Cisco Employee

Hi Pratheesh,

If you are going to use client authentication in SSL and if client authentication fails since not all users will have client cert provided by you, SSL handshake will not complete and hence no access. But this is a performance impacting option. Restricting access on FW would be a good option.

During the flow of a normal SSL handshake, the server sends its certificate to the client. The client verifies the identity of the server through the certificate. However, the client does not send any identification of its own to the server. When you enable the client authentication feature on the ACE, the ACE requires that the client sends a certificate to the server. The server then verifies the following information on the certificate:

The CA has not revoked the certificate.The certificate signature is valid. The valid period of the certificate is still in effect. A recognized CA issued the certificate.

You can specify the certificate authentication group that the ACE uses during the SSL handshake and enable client authentication on this SSL proxy service by using the 

authgroup command in SSL proxy configuration mode. The ACE includes the certificates configured in the group with the certificate that you specified for the SSL proxy service

Regards,

Kanwal

View solution in original post

Thank You Kanwaljeet.

I am planning to use a Self Signed certificate.

As you indicated, normally we will load only the Server certificate to ACE and associate with the URL.

In  my scenario, will I have to load ( private CA certificate (bundle) and the Server Certificate and Cleint Certificate) to the Ace?

I would need to restrict the access only for the set of users with the client certificate I intend to share. I understand the comment on performance, however Firewall restriction is not an option at this time.

Do you have any configuration template on this. Thank You.

Thank you and appreciate your time.

Regards

Pratheesh

Hi Pratheesh,

You will need just the Root certificate that was used to sign the client certificates.  You dont need to upload the client certificates to the ACE

---------------------
Cesar R
ANS Team

--------------------- Cesar R ANS Team
Content for Community-Ad
This widget could not be displayed.